// UNCLASSIFIED // CLEARED FOR PUBLIC RELEASE //
FILE BRF-01DTG 0600Z
ColdRecon / Brief Archive / Week of February 16, 2026
Signal Brief · Archived

Week of February 16, 2026

2026-02-16 — 2026-02-22 · 6 PUBLIC EVENTS · GENERAL / NON-PERSONALIZED

In the week of February 16, 2026, ColdRecon logged 6 public endpoint-security events from open-source reporting — 3 research pocs, 3 vuln disclosures. Vendors in the record this week: Microsoft, IBM.

The Week's Public Record

Events

2026-02-19
research poc
Research Demonstrates Windows Defender Evasion via PPL ManipulationPPL-Manipulation-Defender-Evasion
A research proof-of-concept shows that elevating a user-mode process to WinTcb-Light protection level via a kernel driver can prevent Microsoft Defender from terminating or remediating it, despite detection telemetry. The technique exploits the PPL signer hierarchy where WinTcb (level 6) outranks Antimalware (level 3). It is not a reliable bypass due to driver signing requirements and PatchGuard.
2026-02-19
research poc
Google researchers discover PromptSpy malware using Gemini for autonomous Android navigationPromptSpy
Google researchers discovered a malware named PromptSpy that leverages Gemini to autonomously navigate Android devices by interpreting on-screen activity and generating commands. This demonstrates AI-assisted malware capable of real-time, context-aware device manipulation, raising concerns about AI-driven endpoint threats.
2026-02-19
research poc
Bypassing Anti-Frida and Watchdog Protections in OWASP UnCrackable Level 3 Android AppOWASP UnCrackable Level 3 Bypass
A security researcher demonstrates bypassing anti-Frida and watchdog protections in the OWASP UnCrackable Level 3 Android app. The app uses native code to detect Frida and Xposed by scanning /proc/self/maps and terminates via raise(6) if found. The researcher hooks the detection function to prevent termination and then patches the tampered flag to bypass integrity checks.
2026-02-18
vuln disclosure
CVE-2022-23278: Microsoft Defender for Endpoint EDR Sensor Spoofing VulnerabilityCVE-2022-23278
CVE-2022-23278 is a spoofing vulnerability in Microsoft Defender for Endpoint's EDR sensor that could allow network-based attackers to manipulate security telemetry or impersonate trusted components. The flaw affects Windows, Linux, macOS, and Android endpoints, requiring no user interaction or privileges but with high attack complexity. Successful exploitation could undermine endpoint detection integrity across heterogeneous environments.
2026-02-17
vuln disclosure
IBM QRadar EDR Authentication Bypass via Insufficient Session ExpirationCVE-2025-36377
CVE-2025-36377 is an authentication bypass vulnerability in IBM Security QRadar EDR 3.12 through 3.12.23 caused by insufficient session expiration. Authenticated users can reuse expired session tokens to impersonate other users, potentially gaining unauthorized access to EDR management functions and sensitive security data. IBM has released patches to address the issue.
2026-02-17
vuln disclosure
CVE-2025-36379: Weak Encryption in IBM Security QRadar EDRCVE-2025-36379
IBM Security QRadar EDR versions 3.12 through 3.12.23 use inadequate encryption strength (CWE-326), potentially allowing remote attackers to decrypt highly sensitive information. The vulnerability has high attack complexity and no known exploits in the wild. No patches are currently available.
Every event in this brief is a record in ColdRecon's canonical set, drawn from public open-source reporting and linked to its source. This is the general, non-personalized signal — published 7 days after the fact. The live daily brief, written for your deals, is for cleared officers.

This is last week, public. Get this morning's, written for you.

The live ColdRecon brief lands at 0600 daily — the same signal, filtered to your competitors and framed for your deals. Request clearance and tomorrow's is yours.

Request Clearance →